bladex/blade-auth/src/main/java/org/springblade/auth/service/BladeUserDetailsServiceImpl.java

/*
 *      Copyright (c) 2018-2028, Chill Zhuang All rights reserved.
 *
 *  Redistribution and use in source and binary forms, with or without
 *  modification, are permitted provided that the following conditions are met:
 *
 *  Redistributions of source code must retain the above copyright notice,
 *  this list of conditions and the following disclaimer.
 *  Redistributions in binary form must reproduce the above copyright
 *  notice, this list of conditions and the following disclaimer in the
 *  documentation and/or other materials provided with the distribution.
 *  Neither the name of the dreamlu.net developer nor the names of its
 *  contributors may be used to endorse or promote products derived from
 *  this software without specific prior written permission.
 *  Author: Chill 庄骞 (smallchill@163.com)
 */
package org.springblade.auth.service;

import io.jsonwebtoken.Claims;
import lombok.AllArgsConstructor;
import lombok.SneakyThrows;
import org.apache.commons.lang.StringUtils;
import org.springblade.auth.constant.AuthConstant;
import org.springblade.auth.utils.TokenUtil;
import org.springblade.common.cache.CacheNames;
import org.springblade.core.jwt.JwtUtil;
import org.springblade.core.jwt.props.JwtProperties;
import org.springblade.core.redis.cache.BladeRedis;
import org.springblade.core.tool.api.R;
import org.springblade.core.tool.utils.*;
import org.springblade.system.cache.ParamCache;
import org.springblade.system.entity.Tenant;
import org.springblade.system.feign.ISysClient;
import org.springblade.system.user.entity.User;
import org.springblade.system.user.entity.UserInfo;
import org.springblade.system.user.enums.UserEnum;
import org.springblade.system.user.feign.IUserClient;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.common.exceptions.UserDeniedAuthorizationException;
import org.springframework.stereotype.Service;

import javax.servlet.http.HttpServletRequest;
import java.time.Duration;
import java.util.List;

/**
 * 用户信息
 *
 * @author Chill
 */
@Service
@AllArgsConstructor
public class BladeUserDetailsServiceImpl implements UserDetailsService {

    public static final Integer FAIL_COUNT = 5;
    public static final String FAIL_COUNT_VALUE = "account.failCount";

    private final IUserClient userClient;
    private final ISysClient sysClient;

    private final BladeRedis bladeRedis;
    private final JwtProperties jwtProperties;

    @Override
    @SneakyThrows
    public BladeUserDetails loadUserByUsername(String username) {
        HttpServletRequest request = WebUtil.getRequest();
        // 获取用户绑定ID
        String headerDept = request.getHeader(TokenUtil.DEPT_HEADER_KEY);
        String headerRole = request.getHeader(TokenUtil.ROLE_HEADER_KEY);
        // 获取租户ID
        String headerTenant = request.getHeader(TokenUtil.TENANT_HEADER_KEY);
        String paramTenant = request.getParameter(TokenUtil.TENANT_PARAM_KEY);
        String password = request.getParameter(TokenUtil.PASSWORD_KEY);
        String grantType = request.getParameter(TokenUtil.GRANT_TYPE_KEY);
        // 判断租户请求头
        if (StringUtil.isAllBlank(headerTenant, paramTenant)) {
            throw new UserDeniedAuthorizationException(TokenUtil.TENANT_NOT_FOUND);
        }
        // 判断令牌合法性
        if (!judgeRefreshToken(grantType, request)) {
            throw new UserDeniedAuthorizationException(TokenUtil.TOKEN_NOT_PERMISSION);
        }

        // 指定租户ID
        String tenantId = StringUtils.isBlank(headerTenant) ? paramTenant : headerTenant;
        // 判断登录是否锁定
        int count = getFailCount(tenantId, username);
        int failCount = Func.toInt(ParamCache.getValue(FAIL_COUNT_VALUE), FAIL_COUNT);
        if (count >= failCount) {
            throw new UserDeniedAuthorizationException(TokenUtil.USER_HAS_TOO_MANY_FAILS);
        }

        // 获取租户信息
        R<Tenant> tenant = sysClient.getTenant(tenantId);
        if (tenant.isSuccess()) {
            if (TokenUtil.judgeTenant(tenant.getData())) {
                throw new UserDeniedAuthorizationException(TokenUtil.USER_HAS_NO_TENANT_PERMISSION);
            }
        } else {
            throw new UserDeniedAuthorizationException(TokenUtil.USER_HAS_NO_TENANT);
        }

        // 获取用户类型
        String userType = Func.toStr(request.getHeader(TokenUtil.USER_TYPE_HEADER_KEY), TokenUtil.DEFAULT_USER_TYPE);

        // 远程调用返回数据
        R<UserInfo> result = null;
        // 根据不同用户类型调用对应的接口返回数据，用户可自行拓展
        if (userType.equals(UserEnum.WEB.getName())) {
            result = userClient.userInfo(tenantId, username, UserEnum.WEB.getName());  //客户端-填报
        } else if (userType.equals(UserEnum.APP.getName())) {
            result = userClient.userInfo(tenantId, username, UserEnum.APP.getName()); //APP
        } else if (userType.equals(UserEnum.ARCHIVES.getName())) {
            result = userClient.userInfo(tenantId, username, UserEnum.ARCHIVES.getName()); //档案
        } else if (userType.equals(UserEnum.MANAGER.getName())) {
            result = userClient.userInfo(tenantId, username, UserEnum.MANAGER.getName());  //后管
        } else if (userType.equals(UserEnum.HAC.getName())) {
            result = userClient.userInfo(tenantId, username, UserEnum.HAC.getName());  //后管
        }


        //TODO

        // 判断返回信息
        assert result != null;
        if (result.isSuccess()) {
            UserInfo userInfo = result.getData();
            User user = userInfo.getUser();
            // 用户不存在,但提示用户名与密码错误并锁定账号
            if (user == null || user.getId() == null) {
                setFailCount(tenantId, username, count);
                throw new UsernameNotFoundException(TokenUtil.USER_NOT_FOUND);
            }

            //用户存在但为封禁状态status=0,禁止登陆
            if (user.getStatus() == 0) {
                throw new UserDeniedAuthorizationException(TokenUtil.USER_STATUS_BAN);
            }

            // 用户存在但密码错误,超过次数则锁定账号
            if (grantType != null && !grantType.equals(TokenUtil.REFRESH_TOKEN_KEY) && !user.getPassword().equals(DigestUtil.hex(password))) {
                setFailCount(tenantId, username, count);
                throw new UsernameNotFoundException(TokenUtil.USER_NOT_FOUND);
            }
            // 用户角色不存在
            if (Func.isEmpty(userInfo.getRoles())) {
                throw new UserDeniedAuthorizationException(TokenUtil.USER_HAS_NO_ROLE);
            }

            /* 校验登陆账号权限，客户端填报、试验userType=1，app端userType=2，档案userType=3，后管userType=4 ，管控userType=5 ，征拆userType=6 */
            if (user.getUserType().contains(("1"))
                    || user.getUserType().contains(("2"))
                    || user.getUserType().contains(("3"))
                    || user.getUserType().contains(("4"))
                    || user.getUserType().contains(("5"))
                    || user.getUserType().contains(("6"))) {
                if (!("1,2,3,4,5,6").equals(user.getUserType())) {
                    //如果不是全部权限，那么分批校验登陆平台权限
                    this.judgeLoginPermission(user);
                }
            } else {
                throw new UserDeniedAuthorizationException(TokenUtil.USER_ACCOUNT_NO_TYPE);
            }

            // 多部门情况下指定单部门
            if (Func.isNotEmpty(headerDept) && user.getDeptId().contains(headerDept)) {
                user.setDeptId(headerDept);
            }
            // 多角色情况下指定单角色
            if (Func.isNotEmpty(headerRole) && user.getRoleId().contains(headerRole)) {
                R<List<String>> roleResult = sysClient.getRoleAliases(headerRole);
                if (roleResult.isSuccess()) {
                    userInfo.setRoles(roleResult.getData());
                }
                user.setRoleId(headerRole);
            }
            // 成功则清除登录错误次数
            delFailCount(tenantId, username);
            return new BladeUserDetails(user.getId(), user.getPhone(),
                    user.getTenantId(), StringPool.EMPTY, user.getName(), user.getRealName(), user.getDeptId(), user.getPostId(), user.getRoleId(), Func.join(userInfo.getRoles()), Func.toStr(user.getAvatar(), TokenUtil.DEFAULT_AVATAR),
                    username, AuthConstant.ENCRYPT + user.getPassword(), userInfo.getDetail(), true, true, true, true,
                    AuthorityUtils.commaSeparatedStringToAuthorityList(Func.join(result.getData().getRoles())));
        } else {
            throw new UsernameNotFoundException(result.getMsg());
        }
    }

    /**
     * 获取账号错误次数
     *
     * @param tenantId 租户id
     * @param username 账号
     * @return int
     */
    private int getFailCount(String tenantId, String username) {
        return Func.toInt(bladeRedis.get(CacheNames.tenantKey(tenantId, CacheNames.USER_FAIL_KEY, username)), 0);
    }

    /**
     * 设置账号错误次数
     *
     * @param tenantId 租户id
     * @param username 账号
     * @param count    次数
     */
    private void setFailCount(String tenantId, String username, int count) {
        bladeRedis.setEx(CacheNames.tenantKey(tenantId, CacheNames.USER_FAIL_KEY, username), count + 1, Duration.ofMinutes(30));
    }

    /**
     * 清空账号错误次数
     *
     * @param tenantId 租户id
     * @param username 账号
     */
    private void delFailCount(String tenantId, String username) {
        bladeRedis.del(CacheNames.tenantKey(tenantId, CacheNames.USER_FAIL_KEY, username));
    }

    /**
     * 校验refreshToken合法性
     *
     * @param grantType 认证类型
     * @param request   请求
     */
    private boolean judgeRefreshToken(String grantType, HttpServletRequest request) {
        if (jwtProperties.getState() && jwtProperties.getSingle() && StringUtil.equals(grantType, TokenUtil.REFRESH_TOKEN_KEY)) {
            String refreshToken = request.getParameter(TokenUtil.REFRESH_TOKEN_KEY);
            Claims claims = JwtUtil.parseJWT(refreshToken);
            String tenantId = String.valueOf(claims.get("tenant_id"));
            String userId = String.valueOf(claims.get("user_id"));
            String token = JwtUtil.getRefreshToken(tenantId, userId, refreshToken);
            return StringUtil.equalsIgnoreCase(token, refreshToken);
        }
        return true;
    }

    /**
     * 校验登陆账号权限
     *
     * @param user user信息
     * @author liuyc
     */
    private void judgeLoginPermission(User user) {
        //获取平台信息
        String clientId = TokenUtil.getClientIdFromHeader();
        String result = "0";
        if (clientId != null) {
            switch (clientId) {
                case "client":
                    result = "1"; //WEB = 客户端
                    break;
                case "uni-app":
                    result = "2"; //APP = APP端
                    break;
                case "archives":
                    result = "3"; //archives = 档案
                    break;
                case "saber":
                    result = "4"; //manger = 后管
                    break;
                case "hac":
                    result = "5"; //hac = 成本管控系统
                    break;
                case "lar":
                    result = "6"; //lar = 征拆系统
                    break;
            }
        }

        if ((("1").equals(result) && user.getUserType().contains("1")) //web
                || (("2").equals(result) && user.getUserType().contains("2")) //app
                || (("3").equals(result) && user.getUserType().contains("3")) //档案
                || (("4").equals(result) && user.getUserType().contains("4")) //后管
                || (("5").equals(result)) // 成本管控系统
                || (("6").equals(result)) // 征拆系统
        ) {
            //放行
            return;
        }
        throw new UserDeniedAuthorizationException(TokenUtil.USER_ACCOUNT_NO_PERMISSION);
    }


}